One in four data breaches involves schools

By Meris Stansbury, Assistant Editor, eSchool News

May 14th, 2008

Cyber criminals are becoming bolder and more sophisticated in their operations, federal computer security experts say. And that’s bad news for schools, because educational institutions reportedly account for approximately one of every four data security breaches.

At a recent Educause/Internet2 conference for computer security professionals, federal and private-sector officials discussed the evolution of cyber criminals and the latest group of security threats. Their goal was twofold: to share strategies for protecting campus information, and to press upon school leaders the importance of educating a new generation of cyber defenders.

"A big shift is occurring: Hackers are becoming thieves, and everything from intellectual property to identities are being stolen in record numbers," said Brian Foster, vice president of product management for Symantec Corp.

As conference attendees–who ranged from those in suits sporting security badges to internet junkies with ripped jeans and various equipment bags–laughed and got to know each other over waffles and grapefruit, the mood suddenly sobered as Gregory Garcia, assistant secretary of cyber security and communications for the Department of Homeland Security (DHS), took the podium.

"Threats are becoming more sophisticated and are occurring on a global level," said Garcia. According to DHS statistics, more than 1 million malicious codes have been written, an increase of 500 percent since last year. On any given day, 40 percent of those codes are "botnets"–a collection of software robots, or bots, that run autonomously and on groups of "zombie" computers controlled remotely.

In fact, according to these same statistics, more malicious code is written than regular code–and more than 80 percent of organizations affected by botnets are not aware they’ve been compromised.

However, "phishing" is still the most common cyber threat, with more than half of all scams masquerading as government web sites.

PrivacyRights.org, a web site that tracks the number of records containing sensitive personal information that are involved in security breaches, notes that since January 5 nearly 227 million records have been breached.

"Cyber criminality is shifting from fame-motivated hackers to financially motivated thieves," said Foster. "Hackers were highly visible, indiscriminate, and had only a few named variants. Today’s cyber thieves are silent, highly targeted, and have overwhelming variants."

Foster said companies and organizations today send more than 70 percent of their intellectual property through eMail, which is risky, considering that 40 percent of all malicious code trends deal with the sharing of executable files and 32 percent with eMail file attachments. Stolen information is then sold through online black markets to the highest bidder.

"The education sector accounts for the majority of data leakages with 24 percent of all breaches, followed closely by the government," revealed Foster. "And unfortunately, theft and loss are still the [top] reasons that data leakages occur."

DHS is well aware of these threats and is leading a coordinated effort to ensure national security. "Cyber security is a top priority for DHS in 2008," said Garcia.

Garcia explained that DHS plans to add 40 new cyber security positions–but for the agency to hire qualified workers, the U.S. needs to build up an educated workforce.

DHS plans to provide ongoing professional development to all IT staff in the nation with a new resource in development called the "Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development."

The EBK is an initiative to map IT security competencies to specific roles and responsibilities that apply equally in government and private-sector environments.

"There [has been] no single, foundational document that synthesizes all of the information into a single resource conceptualizing the needs of an entire IT security community … until now," said Garcia.

Another DHS project, called the Trusted Internet Connections (TIC) Initiative, aims to optimize individual networks into a common solution for the federal government. The TIC would reduce access points in the .gov domain to about 50 points, so that hackers and thieves would have less to target.

This will help the government become more aware of its own domain, but Garcia also wants to spur the sharing of information between IT organizations to help the U.S. public become more aware of cyber security as well.

Explained Garcia, "Hopefully, by providing these partnerships, information will become more widely dispersed, allowing the public to not only identify attacks on their information, but also protect against those attacks."

Providing strong public-private partnerships and encouraging the sharing of information is part of the National Infrastructure Protection Plan (NIPP), which sets national priorities, goals, and requirements for effective distribution of funding and resources that will help ensure that the government, economy, and public services continue in the event of a terrorist attack or other disaster.

NIPP also provides for implementing a long-term risk management program. NIPP essentially provides a framework that defines the processes and mechanisms that federal, state, local, and tribal governments will use to protect critical cyber infrastructure and key resources across all sectors over the long term.

"With NIPP, we can establish benchmarks, such as ‘what are our vulnerabilities, and how can we deal with these?’" said Garcia.

Garcia said DHS plans to increase cyber security funding by several millions of dollars over the next few years, but short-term plans are under way as well.

"We’re working on developing a system that disperses real-time response information during security threats, as well as planning to hire between 35 and 40 individuals as part of the United States Computer Emergency Readiness Team (US-CERT)."

Garcia explained that 14 of these individuals will be recent college graduates.

"We’re actively recruiting college students, because they have a strong interest in government work. Sure, they know they could make more money in the private sector, but only the government can give them unique situations to work with. We’re interested in tapping into this new patriotism, but we need more programs to develop those skill sets in both the graduate and post-graduate levels," said Garcia.

Other short-term plans include talking with vendors at the DHS-DoD (Department of Defense) Software Assurance Forum, where Garcia will be encouraging software vendors to create secure code, as well as giving advice on how to build security into the design and implementation phases. In addition, the DHS web site soon will include a Software Assurance Guide for Curriculum Planning and a Software Assurance Acquisition Guide.

"We need to develop plans on how to make sure our software and outsourced software is secure," explained Garcia. "We need to set standards. This goes especially for college campuses, where security is a major concern."

For example, "antivirus software is becoming outdated," said Foster. "Most data loss occurs because students bring their own laptops without the proper protection."

Foster then discussed Symantec’s solution for Temple University. Temple participates in the Symantec Rewards program, a contractual licensing program that provides perpetual licenses for antivirus, security, and computer imaging software, as well as software maintenance and support.

Garcia concluded by giving the participants advice on what they can do to help themselves while waiting for the EBK and other initiatives:

"Understand what you’re protecting–who’s using this information, what are they using, and why are they using it; build and strengthen communications with your IT provider; and contact REN-ISAC to get involved. Finally, spread the word about cyber security; help generate awareness."

Don’t forget to visit the Safeguarding School Data resource center. It seems like you can’t go a whole week lately without hearing about some major data security breach that has made national headlines. For businesses, these data leaks are bad enough—but for schools, they can be especially costly, as network security breaches can put schools in violation of several federal laws intended to protect students’ privacy. Go to: Safeguarding School Data